Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Thursday, December 12, 2013

The courts STILL don't get it

You've probably seen the story of Eric Rosol, the man who was just ordered to pay $183,000 to Koch Industries for participating in a DDoS attack against their website.

According to publicly releasable information, the site only went offline for 15 minutes as a result of the attack. The attack itself reportedly lasted less than 5 minutes, and Mr. Rosol only participated in the attack for 1 minute. As far as we know, Mr. Rosol did not initiate the attack, which was accomplished using Low Orbit Ion Cannon (LOIC). LOIC is a DDoS attack tool that supports crowd-sourced attacks coordinated over IRC. Mr. Rosol might have connected his LOIC instance to IRC or manually started and stopped the attack (I don't know which one for sure, and it isn't relevant for this case). He does, however, admit that he participated in the attack.

So what were the damages?
The actual damages for a DDoS attack on a website are hard to quantify. If you took down amazon.com for instance, it would be easier to quantify the losses by examining a comparable sales period. But in the case of amazon.com, the website directly drives revenue. What happens when the site doesn't generate revenue directly? What if it's a site that only serves as a "front door" or advertisement for the company? Certainly a loss is still incurred when the site goes offline. Investors get scared about the company's security and real system admin time is used to monitor and respond to the incident. But these costs get pretty murky to quantify. In this case, Koch determined that the cost of the outage was $5,000.

Should Mr. Rosol be responsible for damages?
Personally, I think it's a big stretch to say that Mr. Rosol should even be responsible for the entire $5k cost (if that really is the cost). He may be the only person who was arrested in this specific case, but the first 'D' in DDoS means Distributed. There were lots of people involved. Now, please understand that I am not a lawyer, so I could be really wrong here. But when multiple people are captured on surveillance video performing acts of vandalism but only one is caught, are they fined for the entire damages? What if additional suspects are caught? Will they also be fined for the entire damages? That sounds dumb to me, since it appears that victims could obtain multiples of the actual damages.

Wait, was it $5,000 or $183,000?
So this is where the case gets strange, and quite honestly, infuriating. When Koch Industries suffered downtime due to the DDoS that Mr. Rosol participated in, they decided to bolster their defenses against future attacks. To that end, they hired outside security contractors. It isn't known what the expenses entail, but they reportedly spent $183,000 with the contractor. This value was used by the judge to order a fine for Mr. Rosol.

Mr. Rosol did the crime, he should pay... right?
The $183,000 fine represents a significant misunderstanding on the part of the justice system about computer crime. If you disagree, work through this intellectual exercise with me. Suppose that Mr. Rosol committed a physical crime, such as forcibly blocking the entrance to a convenience store. He was only able to block access to the store for a short time before the police forcibly removed him from the premises. During the "blockade" the convenience store estimates that they lost $5,000 worth of business (a hard number to quantify). The convenience store does not want this type of attack to ever happen again. The store hires a contractor to study the event. The contractor realizes that Mr. Rosol exploited a design flaw in the store entrance layout that allowed him to block access in the first place. The contractor recommends changes to the store entrance, some of which are implemented. The total cost for the contractor and store renovations is $183,000. In this physical crime analogy, would Mr. Rosol be on the hook for the $183,000 spent studying the event and making store renovations? Of course not. I can't think of any examples where this might be true.

Great analogy, why did he get fined $183,000 then?
I have no idea why Mr. Rosol got fined so much. I don't have the transcript of the sentencing proceedings, but I'd love to know what Mr. Rosol's lawyer argued to the court. Did he or she use a similar analogy? If so, did the court fail to understand the argument, or did it just not care? I predict that Mr. Rosol's fine will be challenged in the legal system. I don't know the legality of any challenge since Mr. Rosol pleaded guilty to the offense. In any case, I think that this is a wake-up call for everyone in the computer security field that the justice system still doesn't "get it." We need reform of the CFAA (the law under which Mr. Rosol was charged), and we need it now. We need better sentencing guidelines. But what we really need are courts that understand how technology and computer crime actually work.

3 comments:

I agree that people should be accountable for the damage and cost incurred as a result of their actions. I don't agree that they should be accountable for ensuring it doesn't happen again by someone else. To use another analogy, if you ran into a parked car (nobody inside) and didn't have insurance, would you be responsible for fully repairing the car and adding anti-tank armour to make sure it doesn't happen again?

The $5000 damage figure was not pulled out of thin air. That is the threshold for 18 US 1030 to kick in. The reason he got fined $183k is because the section specifically defines "loss" to include incident response and remediation. The CFAA has been broadened ridiculously from its original intent, which was to protect US government computers and financial institutions. It's good that there are laws protecting against computer crimes, but it would be nice if they were at least somewhat rational in design and enforcement.